Increasing the usage of facial recognition on social media sites must be bound by proper laws to maintain user data and privacy

I am not a conspiracy theorist – never was, and probably never will be.

Representational Image. Reuters

But when there is chatter online about this new social media feature that uses facial recognition technology more than it previously did and claims to do so to, among other things, ensure that the user’s identity is better protected and the user is able to even see pictures that he may not be tagged in by using facial recognition technology thereby giving the user an update that an image of him has been shared, such chatter definitely gets my attention!

It’s no secret that facial recognition technology has grown leaps and bounds in the last decade. The rise of global information technology giants like Google and Facebook has resulted in facial recognition technology being relied heavily to recognise users on social media platforms. While Google permits users to reverse search images subject to certain criteria, Facebook permits its 2 billion-plus users to tag images of themselves and their friends, which are reportedly stored on to its servers.

Privacy advocates have expressed concerns that the tagged images of users have provided the US-headquartered tech giant with a voluminous database of faces and personal data including the places where users vacation, eat, study, work and even reside. It’s a no-brainer that such a large amount of data is a potential gold-mine for anyone including governments and their agencies or even third parties in ensuring they have enough background data on anyone of interest to them.

Image: Reuters

In fact, a five-judge Constitution bench of the Supreme Court of India led by the Chief Justice of India had in September of 2017 pin-pointedly asked Facebook and WhatsApp to inform the court if they had ever shared any user details with third parties. The implications of that question, however, is for another article, sometime soon.

Technology has evolved from mere facial recognition for social media use. Multiple media outlets that write on tech advances have reported that Facebook has filed for a patent with the United States Patent and Trademark Office that indicates its intention to move into the retail payments market by using facial recognition as a secure means to ascertain customer identities.

While the aforesaid advances are praise-worthy, what causes apprehension is the security hazards such technological advances pose. Taking the case of Facebook for instance – the new facial recognition algorithm it has employed on its website would mean that a user would even know when someone who they have probably never heard of has used such a user’s photograph as a profile picture or has otherwise uploaded it. This, in other words, means that the tech giant has probably mastered the art of connecting names with faces on its platform without the need for a human coordinator. This further means that the social media platform can now recognise the distinctive and unique facial features of its users (biometrics, if you would) and connect the same to ascertain their real identity – and no this is not something out of George Orwell’s 1984 or an ‘inspired’ work. While the facial recognition technology update offered by Facebook has been released in most jurisdictions of the world, it is not available for users in Canada and the European Union where Facebook does not offer face recognition technology on account of privacy concerns.

The question that remains unanswered, however, is what happens when governments require corporations to hand-over such data to either investigate their own citizens or to keep a tab on their whereabouts. Where does the line get drawn? It is no secret that corporations like Google, Facebook, Twitter and their not-so-similar like including cross-platform instant messaging and voice over internet protocol service provider WhatsApp have to comply with the laws of the jurisdictions out of which they operate. Most of these corporations mention in their terms of use that they are required to comply with requests to share information as may be mandated by the law of the jurisdiction. This means that information shared by a user on social media can be obtained by the State by following the procedure mandated to procure such information which may range from requests to share such information to even a letter rogatory, i.e. a formal request made by a court to a foreign court requesting assistance in matters.

While the Supreme Court of India had ruled that privacy is a fundamental right, it ought to be noted that information shared on social media by a user may not necessarily fall under the private category since it is in the public domain. Therefore, a user may not be able to claim privacy for information or pictures that he/ she has knowingly uploaded onto social media platforms, provided, however, that the images and/ or information are not shared by the corporation with third parties/ entities. Most corporations also have terms and conditions that require the user to grant the corporation a non-exclusive, sub-licensable, transferable, royalty-free worldwide license to use the content shared by the user, which in other words means that the corporations have some rights over such content.

Facial recognition. Image: Reuters

In the early 2000’s, Professor Lawrence Lessig of the Harvard University famously remarked, “Left to itself, cyberspace will become a perfect tool of control.” About eighteen years later, the prophecy-like words have come closer to fruition with the sheer amount of personal data that is shared by users on the world-wide-web.

The government of India has also launched a Centralised Monitoring System which means that the Department of Telecommunications can lawfully intercept and monitor telecommunications in the interest of ‘national security interests’, a phraseology that has arguably the widest and greyest definition ever.

Today, apart from the Information Technology Act, 2000 and the rules thereunder, there exist very few laws that would protect the information and data of India’s citizens. Such vast data shared by citizens on the world wide web implies that it is that much easier for the State to keep tabs on its citizens, which would also mean that the State and its agencies would be crossing a dangerous line if the information shared by it is not obtained through the proper channels, i.e. in accordance with the procedure established by law.

It is not new for States to control its citizens' web searching habits. The Republic of China has altogether banned several websites and social media platforms giving rise to Chinese micro-blogging website ‘Weibo’ which translated literally means ‘microblog’.

India does not have such restrictions on freedom to surf the web, so those concerns are allayed – for now at least.

However, what is of concern is the lack of legislation that would protect citizens from unauthorized surveillance or identification or infringement of privacy that are not in accordance with a procedure established by law. The country cannot afford to lag behind in this regard, not when the present establishment is pushing for a ‘digital India’ since a digital India that does not have its basic security and privacy infrastructure in place is for all practical purposes an unsafe India.

Globally, such legislation does exist and India would not be a path-breaker, at least not in this sense. As a matter of fact, there have been several cases where social media websites have been sued by users who claimed, among other things, the use and storage of face scans that they termed biometric data violated state laws. The outcomes of these cases will determine how privacy is viewed in these jurisdictions.

In India, on the other hand, privacy is now a fundamental right. The enforcing of it, however, still seems to be distant. Guidelines to prevent any untoward incidents involving the corporations that store such voluminous data is the need of the hour and the legislature needs to get moving in this regard. We cannot afford situations where user data has been compromised or privacy infringed by mass surveillance programmes that may be easily taken up on account of the personal data shared online.

Mass surveillance.

And again, I am not a conspiracy theorist. All I happen to be is a lawyer who follows, adheres, admires and respects the Constitution of India and now seeks to help protect the newest fundamental rights of its citizens in this globalized and digital world where borders do not exist, at least not online.

The writer is an advocate at the Bombay High Court and was a former journalist with some of India’s leading dailies covering the Mumbai Police Crime Branch and the crime beat including cybersecurity and data privacy.